Cisco Security Flap: Much Ado About Something

There's no surer way to call mass attention to a sensitive subject you're trying to downplay than to tell the public to mind its own business.

Yes, Cisco had every right to sue, but sometimes it's best to just lay low. Whether you're a politician, celebrity or technology vendor, there's no surer way to call mass attention to the sensitive subject you're trying to downplay than to declare the public isn't entitled to know anything more about it. If you're Cisco, you certainly don't threaten a 24-year-old researcher and the organizers of a conference whose attendees already are cynical of authority. The fiercely independent infosec community doesn't take kindly to being pushed around, as evidenced by the ovation Lynn received at Black Hat. If Cisco had just left the lad alone, his 15 minutes would have amounted to a nanosecond and few people today would be talking about security vulnerabilities in Cisco networking gear.

Cisco says that it disclosed the IOS vulnerability and issued a patch in April--that Lynn described only a new and different way to exploit the flaw. Regardless, the "heightened sense of public awareness"--as a Cisco spokesman described the Lynn kerfuffle--prodded the company to issue a more detailed security advisory late last month, explaining how IOS is vulnerable to denial-of-service attacks and possibly to a more dangerous remote exploit. Cisco also posted a list of the fixed versions of IOS that customers could adopt, as well as a work-around. Hopefully, Cisco shops are paying attention and Cisco learned something about the value of communicating openly with customers and the public.

'Premature' Findings

But if Cisco was willing to come clean, why did it raise such a stink about Lynn's Black Hat presentation? Cisco and ISS maintain that Lynn's research was "premature" and that they planned to present a more developed version of it at a later security conference. We'll see.

For his part, Lynn says he felt compelled to report the IOS vulnerability before it was exploited in attacks on the Internet, though he maintains he never revealed details that would abet an attacker.